When accepting a connection as client or server, the engine takes the security mechanism announced by the peer and implements the peer's mechanism without ensuring that it matches the mechanism configured on the socket. This may allow an attacker to mount a man-in-the-middle downgrade attack.
Upstream commit: https://github.com/hintjens/libzmq/commit/77f14aad95cdf0d2a244ae9b4a025e5ba0adf01a

From a brief inspection, it appears as though zeromq and zeromq 3 in Fedora may not be affected.
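The check the flaw omits, as an added illustration that is not libzmq's own code: after the ZMTP 3.0 greeting exchange, the receiving side compares the 20-byte mechanism field the peer announced against the mechanism configured locally and refuses the connection on any mismatch, rather than adopting whatever the peer offers. The greeting layout follows the ZMTP/3.0 specification; check_greeting and build_greeting are hypothetical names, and the greetings are constructed test data.

```c
#include <stdio.h>
#include <string.h>

/* ZMTP 3.0 greeting (64 bytes), per the ZMTP/3.0 spec:
 *   signature 10 bytes: 0xFF, 8 padding bytes, 0x7F
 *   version    2 bytes: major (3), minor
 *   mechanism 20 bytes: ASCII, NUL-padded ("NULL", "PLAIN", "CURVE", ...)
 *   as-server  1 byte
 *   filler    31 bytes */
#define GREETING_SIZE 64
#define MECH_OFFSET   12
#define MECH_SIZE     20

enum { ACCEPT = 0, REJECT_BAD_GREETING = -1, REJECT_MECHANISM_MISMATCH = -2 };

/* Copy a mechanism name into a NUL-padded 20-byte field. */
static void mech_field(unsigned char *dst, const char *mech)
{
    size_t n = strlen(mech);
    if (n > MECH_SIZE) n = MECH_SIZE;
    memset(dst, 0, MECH_SIZE);
    memcpy(dst, mech, n);
}

/* ACCEPT only when the peer announces exactly the mechanism this socket is
 * configured for (configured_mechanism stands in for the socket's option).
 * A peer announcing a weaker mechanism is refused instead of adopted. */
int check_greeting(const unsigned char *greeting, const char *configured_mechanism)
{
    unsigned char expected[MECH_SIZE];
    if (greeting[0] != 0xFF || greeting[9] != 0x7F || greeting[10] != 3)
        return REJECT_BAD_GREETING;          /* not a ZMTP 3.x greeting */
    mech_field(expected, configured_mechanism);
    /* Compare the whole field so "NULL" plus trailing bytes does not pass. */
    if (memcmp(greeting + MECH_OFFSET, expected, MECH_SIZE) != 0)
        return REJECT_MECHANISM_MISMATCH;
    return ACCEPT;
}

/* Build a constructed 64-byte greeting announcing the given mechanism. */
void build_greeting(unsigned char *out, const char *mechanism, int as_server)
{
    memset(out, 0, GREETING_SIZE);
    out[0] = 0xFF; out[9] = 0x7F; out[10] = 3; out[11] = 0;
    mech_field(out + MECH_OFFSET, mechanism);
    out[MECH_OFFSET + MECH_SIZE] = (unsigned char)as_server;
}

int main(void)
{
    unsigned char g[GREETING_SIZE];
    build_greeting(g, "NULL", 0);   /* peer tries to talk NULL to a CURVE socket */
    printf("NULL peer on CURVE socket: %d\n", check_greeting(g, "CURVE"));
    return 0;
}
```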
Statement: This issue did not affect the versions of zeromq as shipped with Inktank Ceph Enterprise 1.2 and 1.3.
The Fedora 20 release zeromq3-3.2.4-1.fc20.src.rpm is the same release that was audited by the Inktank developers and found to be not affected by this issue.